Tuesday, 31 May 2011

If you were passing through Hoxton’s “silicon roundabout” last Friday and wondered why the traffic was a little easier than usual, it could have been because a good number of the folk that may well frequent such parts had cycled over to the Institute of Mechanical Engineers, Westminster, to attend a debate organised by those good folks at Demos and the Open Society Institute. Billed “Through a web darkly: does the internet spread democracy or ignorance?” the event was chaired by Ben Hammersley (Editor-at-large of Wired UK and founder of the Campus Party) and featured Evgeny Morozov (author of “The Net Delusion: The Dark Side of Freedom and the Internet”), Dan Hind and Tom Chatfield.

All of these guys have got pretty extensive internet profiles, so I won’t comment on their credentials. Some of the points raised were very interesting, and ones which I need to think about in some depth. Evgeny made the simple point about behavioural advertising - that, thanks to algorithmic techniques, the web becomes more personalised, and we are more frequently directed to information that we agree with, but is this leading to the politicisation of defaults?

He also remarked that the Government’s transparency agenda is somewhat flawed in that we will never be able to get all of the relevant information on the internet, but this is leading to a problem with the rise of the conspiracy theorists, who will always be able to point to the absence of some information to establish a convincing narrative that they affirm too, but which may be well off the actual truth.

In terms of the technical ease with which rumours can be translated into fact, it’s now probably far cheaper to hire a team of 100 bloggers to create noise, so that potential American presidential candidates can appear to be doing quite well among the electorate, despite their obvious lack of political gravitas.

Dan Hind supplied my favourite quote of the afternoon though, which was a chant that he had picked up being shouted by the protesters in Tahrir Square in Egypt during the recent civil uprising which led to the demise of former President Mubarak in February. A small group were heard to chant: We are the girls who chat to the boys on Facebook. For them, freedom was being able to admit an activity that was forbidden. The little things we take for granted in the UK, yet freedoms not yet properly won everywhere. And no, that's not them chanting that chant in the image. These girls are obviously protesting about something much more acceptable to whoever is reading this. So there's no need for members of the Egyptian army to arrest them and require them to undergo virginity checks.

Politics even entered sport and the football terraces. (Well, fancy that, I hear you exclaim). At one international match, the Tunisian football supporters were heard to tease their Egyptian counterparts for not getting rid of their dictator fast enough; We’ve got rid of ours, so why haven’t you got rid of yours? was the refrain.

Dan also made the point that the Egyptian authorities made the fatal mistake, during the uprising, of closing down the national broadcasting media - which resulted in people coming out into the streets for their news, and passing on news and current affairs stories in a way that could not be contained - so given similar circumstances in Blighty, I doubt that the BBC Trust will react by pulling the plug on Radio 4. We’ll be allowed to remain indoors to keep up with The Archers and Eastenders. No roaming the streets for us.

Tom Chatfield considered that, given that the internet really is only about 600 weekends old, we still have some way to travel before social mores have fully developed. But my, hasn’t it come far! WikiLeaks and Twitter may be bouncing around like stroppy adolescents, causing a bit of a rumble in the legal jungle, but time will tell. It may not be that long before someone (or something) tames these delinquents.

After all, getting down to the basics, what do we really need from Governments?

Most of us don’t need much more democracy (if that’s what you call it.)

Most of us would be perfectly happy with bread and circuses.

It was good enough for most of the Romans, and I’m sure it will be good enough for the most of us.

Well done Demos for such a thought-provoking session. There may be more in this series - and if so I’ll try and attend them.

Thursday, 26 May 2011

If you’ve got a corporate mobile phone, you may recently have received an unsolicited text message from some really dodgy outfit. I don’t know who they are, but they use the number +447821142591 to send me their spam from. The first text, which I received a couple of weeks ago, advised me that: According to our records you may entitled to £3750 for the accident you had. For more info reply CLAIM to this message. To opt out text STOP.

I have not had an accident, nor have I ever told anyone that I have had an accident. However, I decided to play along by replying CLAIM to see what happened next. Within a few minutes an advisor phoned me to take my details. It was clear that the advisor did not know who he was calling, and when pressed he explained that he had been provided with my details from a third party. I told him that I was really unhappy about having received the text, I wanted future texts to stop, I wanted to know who had supplied him with my number, and that I would be complaining to his manager about the unsolicited call. Unsurprisingly, he immediately ended the call. I never got to speak to his manager. Nor did he tell me what outfit he worked for.

Today’s text was a bit blunter: You still have not claimed the compensation you are due for the accident you had. To claim then pls reply CLAIM. To opt out text STOP.

What can corporate subscribers do to stop this stuff being sent in the first place?

Well, I could log onto the Information Commissioner’s website, read and click on the stuff that’s on the banner at the top of the page telling me something about cookies, and then navigate my way to their guidance. The ICO’s banner reads: On 26 May 2011, the rules about cookies on websites changed. This site uses cookies. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about cookies on this website and how to delete cookies, see our privacy notice.

And then there’s a tick box which, once ticked, indicates that: I accept cookies from this site.

Phil Lee from Field Fisher Waterhouse has generously explained to a number of LinkedIn readers that: (i) if you don't consent to the ICO's banner, then it only drops a 'strictly necessary' session cookie (no other cookie); (ii) if you do consent, then it also drops a first party cookie to remember your consent and a third party analytics cookie; and (iii) if you later want to opt out, then I suppose you have to delete the first party consent cookie by clearing your browser cache.

I have not heard Phil comment on whether this is the best way of doing things - but full marks to the ICO for having possibly the first (and only) website in the European Union which tries to comply with the new cookie rules. That takes some courage.

Anyway, back to the plot.

The Commissioner’s guidance on such spam makes it clear that the relevant regulations are themselves defective, in that they only prohibit the sending of unsolicited text messages to individuals, not to corporate subscribers. Some bitter irony this has turned out to be. I remember being one of those who were asked by the DTI (as it then was) to comment on what became The Privacy and Electronic Communications Regulations 2003. I pointed out this anomaly and explained that I was sure that all Service Providers would really prefer the regulations to prohibit the sending of unsolicited text messages to all subscribers, not just individual subscribers. However, the DTI disagreed. They weren’t in a gold-plating mood, and probably didn’t think that business people needed to be protected like this. I do remember that the bright civil servant who was tasked with this issue didn’t have a corporate phone herself.

In terms of what can be done to reduce the likelihood of corporate phones receiving future unsolicited messages, there’s probably not much that can be done. We could try instructing staff to register their phone numbers with the Telephone Preference Service, but I’m not really sure how much good that would do.

I suspect that the telephone managers of some of the larger corporate subscribers would want their service provider to register corporate devices with the TPS as a matter of procedure, rather than requesting their staff to do it on an individual basis. But I’m not sure how easy this currently is. There must be a way though, if there’s a sufficient demand.

What I am sure of is that it’s not the service providers themselves who are providing the numbers to these grubby spam merchants. I just wish I knew who they were buying their databases from.

Misha Glenny, the award-winning author and journalist, was on sparkling form last night as he briefed a select gathering of people in the private dining room of The Ivy in Soho. Big thanks to my friends at Detica for so generously inviting me to the event.

Misha’s spent the last couple of years investigating the rise of internet crime and how it is linked to the growth of industrial espionage on the web, and the broader issue of cyber warfare. And in doing so, he’s met some of the most notorious criminal hackers that the courts have managed to deal with. What he had to say was gripping – and his conclusions were bleak. To develop a mantra that former Prime Minister Tony Blair used to trot out, while our politicians and investigators can try to be tough on cybercrime, I’m not at all sure that anyone can be tough on the causes of cybercrime.

I don’t want to steal (too much) of Misha’s thunder, so I won’t report in too great a detail on what he had to say. But one theme really struck me, and I reflected on it as I returned home in the early hours of this morning. What can we do to spot these budding cybercriminals? And isn’t it a shame that we won’t be able to do very much about them until it’s too late?

What factors are common to the master cyber-criminals of the globe? Misha was extremely well qualified to discuss this issue, having had the opportunity to meet some of the finest criminal minds that have emerged from places as diverse as the Ukraine, Sri Lanka, Germany, Idaho USA, Nigeria, Turkey and of course the UK. Are there common behavioural traits that lead to a shared profile?

Well, yes there are. And as Misha reeled off the list, I began to think that people with these traits could turn out either to be very very good for society, or very very bad. But probably very very rich.

So, what should we look out for?

We should look out for nerds who are obsessive game players, people who are unusually good at maths or science, who might well have had a traumatic experience in their early teens, whose moral compass makes them easy prey to more experienced cybercriminals, and who have poor communication skills in the real world, but who flourish in the virtual environment.

But how can we be tough on finding nerds like this, or on imposing behavioural change on them?

Should we “lock up all geeks”, and only allow emerging adults to engage with others once they’ve become properly house trained? It’s not going to happen. If they’re not on the aggressive or anti-social verge of society then they’re simply not going to be individuals of interest to the local police forces. These geeks will simply hone their criminal traits well away from the gaze of the law enforcers whose hands (and budgets) will be focused, for political reasons, on the local yobs who will be making life miserable for the more decent members of the community. Are we doomed?

I wouldn’t bet against it.

What’s the solution – a totalitarian surveillance state – but run by the “dear ruler” for benign purposes, rather than to oppress the populace? That’s not the flavour of the month. Not even in Africa, and the Middle East, as we are witnessing today. Can society ever be tough on such nerds, so that they develop into people with a different moral compass?

Well, I wouldn’t bet any of my own money on it.

But perhaps Misha has a solution. He didn’t mention it last night, but then again nobody asked him.

Tuesday, 24 May 2011

In the space of just a few weeks, we’ve really been spoilt by those who have been appointed to rule us.

Not only have we been given the Statutory Instrument that implements the new cookie rules, and guidance from the Information Commissioner’s Office about the steps that need to be taken in order to comply with the rules, but our very own Minister has even just written us an open letter setting our minds at rest about some of the issues that were immediately raised by those who had digested the previous documents – and didn’t quite understand what was meant (or what should be inferred) from the text of the Statutory Instrument.

So, our compliance tool kit now comprises:

8 pages of regulations
2 pages of explanatory notes to the regulations
9 pages of ICO guidance
6 pages of DCMS guidance
1 "know your cookies" audit spreadsheet, prepared by our friends at Barclays

and, in a few weeks time, we can expect some more pages of ICO guidance on other matters covered by the Statutory Instrument.

Good going, well done.

A few of the usual data protection suspects huddled together after this evening's meeting of the Digital Economy Act All Party Parliamentary Group, which had actually met in Portcullis House to consider the future of mobile services, data roaming and spectrum. The general consensus was of considerable gratitude that Ed Vaizey, our Minister for Culture, Communications and Creative Industries had been so bold as to put his name to a document that has quite firmly established the Government’s direction of travel. The message to those who doubt the British pragmatic approach is, basically: get real. Or as Ed put it, much more elegantly in his open letter: we remain firmly convinced that the UK implementation is correct that it is good for business, good for consumers and addresses in a proportionate and pragmatic way the concerns of citizens with regard to their personal data online.

Whether the Article 29 Working Party, for example, shares his views on obtaining or expressing consent in the context of cookies, will be a debate that will rumble on for a long time. Webmasters don’t need to get prior consent for cookies, just consent. Wow. So a cookie can continue to be loaded onto a device as soon as the browser accesses the target website, just like today. Then the webmaster can seek consent. Thank goodness for that. Sanity prevails. Whether such sanity will prevail elsewhere in the EU is a matter that will only be resolved when the other Member States reveal their intentions as to how they will implement the rules. We Brits have found something that could work awfully well in practice, so let’s hope that others don’t complain too loudly that it doesn’t really work in theory.

There’s no need for me to comment on the other items covered in Ed’s letter. Plenty of others will be offering us a more detailed analysis in the coming days and weeks. Suffice to say, it’s great to realise that Ed's officials have recognised the real concern among some of those who are to be affected by the new rules. Those who wanted to comply needed some reassurance in how they should go about complying – and some of this reassurance has been forthcoming.

I doubt that Ed will continue issuing such letters, as Ministers don’t usually offer running commentaries on what their Statutory Instruments actually mean – they normally leave that up to the Judges to decide. However, I’m certain that an open letter such as the one published today will carry just as much judicial weight as a Ministerial statement in Parliament, and so for that I’m very grateful.

As an afterthought, given the ferocity with which the Judiciary have been challenged recently over the appropriateness of issuing injunctions to prevent the press from reporting what many thousands of people have already read on Twitter and other forms of social media, Ed may be realising that, actually, these days, Ministers could have more moral authority in privacy matters than Judges.

Sunday, 22 May 2011

The new cookie rules are almost upon us and there is more than a little interest in how the term strictly necessary will be interpreted by the regulators.

The Information Commissioner’s Office’s first attempt seems a little harsh: The use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

The formal dictionary definitions suggest concepts that embrace exact or precise; not loose, vague, or broad, following or enforcing a rule or rules with great care; punctilious; closely enforced or rigidly maintained; disciplining rigorously or severely.

But all hope is not lost! The English language is a gloriously flexible language, and meanings of words can change pretty quickly. Even the meaning of words like strictly.

After all, who would have thought that the hit BBC competition “Strictly Come Dancing” was actually judged on the quality of the dancing? Back in November 2008, John Sergeant reportedly pulled out of the competition over fears he may actually win the show. And how good a “dancer” was he? Well, in one of the funniest Strictly dances ever seen, he dragged his partner Kristina Rihanoff around the floor in his Paso Doble. Some dance that was.

So, let’s hope that the ICO has the same sense of pragmatism as the BBC executives evidently had, and that they will allow the participants themselves to decide what they feel is sufficiently strictly necessary when it comes to interpreting the new cookie rules.

My bet is that the definition of strictly will loosen up pretty quickly.

Side Note: By the way, this is not the first time that the ICO has been asked to advise on a strictly issue. Our chums in Wilmslow were asked to rule on a Freedom of Information matter, not a Data Protection one, a little while ago. This was all about whether the public were allowed to know the actual numbers of votes that had been cast each week for the various contestants. Emails passed between BBC television centre and the ICO, and then the following information was published on the BBC’s website: We invite you to vote for the dancers that you liked best, based on their performance in each show and during the series. Releasing voting figures could affect the way that people vote, and also have an impact on the participants. We therefore do not disclose the exact voting figures. Although the BBC is subject to the Freedom of Information Act, information which is closely connected to our programme-making is not covered by the Act. The Information Commissioner, who regulates the Act, has confirmed that information about Strictly Come Dancing voting is not covered. We are therefore not required to disclose the voting figures under the Act.

An extremely interesting debate was held at Australia House in Central London last Thursday. Hosted by Dtex, a company which assists organisations to control the flow of data via the delivery of a “Know Your Insiders” programme, the message was probably not one that those who are responsible for developing and enforcing the soon-to-come-into-force Electronic Privacy Regulations would have wanted to hear.

What do I mean?

Well, we all know that next week heralds the coming into force of new regulations which, among other things, change the rules around cookies. But I've said enough about cookies recently. This blog posting comments on the new rule changes to compulsory breach notification.

Regulation 5 relates to the notification of personal data breaches by Communication Service Providers. In all cases, the Information Commissioner must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user. Late breach notifications may result in the Information Commissioner imposing a fixed civil monetary penalty of £1,000 on the Service Provider.

There are two problems with this concept.

First, there is no list of Communication Service Providers in the UK, so it is not clear just how many organisations will be affected. I really don’t know how the Information Commissioner will take action against companies who fail to comply with the breach notification requirements, especially when his staff won't even know whom he is expected to check up on. Of course, they will know all about the big Service Providers – but what about the smaller ones, whose security standards may well be those that are more suspect? Think, for example, of the case of the firm that incurred the latest fine from the Commissioner. ACS Law were barely plankton in the legal ecosystem – yet the owner of the firm still managed to cause the likelihood of significant damage being inflicted on thousands of people!

Second, and more importantly, the regulations require Service Providers to devote more time to reporting the most minor of mistakes, which will inevitably divert precious resources from providing advice and support to business projects that really need greater attention. If we are not extremely careful, the debate will slip back into the “security zone”, rather than get focused on the most crucial part of the whole data protection problem.

Take a quick look at the definition of a “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.

So it’s a breach if a single encrypted laptop or a single encrypted data stick is lost? Despite the fact that no damage has been done to any “victim”? Or, in a retail environment, where a passer-by overhears a conversation between a sales advisor and the customer? Even where the only “unauthorised disclosure” is the customer’s name and telephone number?

Of course it’s far-fetched. But the explanatory notes to the Statutory Instrument do state that all breaches have to be reported to the ICO. (Just as users are apparently expected to have to consent to all cookies that are not strictly necessary on websites, but that’s another pet gripe of mine that is the focus of my next blog entry.)

In my view, this madness removes the focus on what I think is the most crucial part of the whole data protection problem. And this was the part which was the main subject of the speakers’ comments at Australia House last week.

If you are to believe the speakers, it’s not really about technical issues.

Obviously, technology can help – which was why the Australian Trade Commission were so keen to facilitate the session, which promoted the services of Dtex, an Australian company. They were also keen to ply us with some of the finest Australian wines and they most generously let us feast on Kangaroo canapés. (I kid you not!)

But, what we really need to concentrate on is people. It’s a behavioral issue, more than a technical issue. We have to focus on the human factor – but this is actually an extremely difficult thing to do.

One of the reasons it’s so hard to get board directors to focus on the importance of human behaviours is because the board members speak a language which can be alien to those who speak in terms of data protection. Board members exist to develop a strategic approach that will maximise shareholder returns – so they tend to speak in financial terms. When assessing risks to the company, they look to their Risk Steering Committees, and expect risks to be quantified in financial terms. What is the loss of “x” likely to be?

The trouble is that, in data protection terms, it’s really hard to quantify poor data protection standards in financial terms. How many customers really leave businesses that have had data breaches, for example? This is the sort of critical questioning that data protection managers face when they lay their concerns before the company. Where is the actual evidence that customers turn to other providers? While Larry Ponemon has done some amazing work in this area, some of his studies are getting quite depressing – a report published in March 2011, for example, predicted that: most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

So, let’s all try and keep focused on the really important stuff – which is making sure that staff know what is expected of them, that they are properly trained and are really committed to the organization. That’s what I want to spend my time doing. Not wasting anyone’s time in Wilmslow having to report the loss of an encrypted data stick, simply because it was left in someone’s trouser pocket while it went through the wash cycle at home.

Those folks in Wilmslow surely have better things to do than wait for such relatively inconsequential reports to dribble through, too.

There was a time when regulators were expected to just waste their time on tedious details around purpose notification, as data controllers diligently kept their registration entries up-to-date. Shortly they will have something else to monitor - which could be equally wasteful of their scarce resources.

Image credit: This image is taken from the Monty Python comedy sketch: 100 Yards Dash for People with No Sense of Direction – part of the 27th Silly Olympiad. The starting gun goes off and everybody starts running, very fast. They run up to the high jump, disc throw, hamburger stand, and John Cleese goes powering out of the stadium and up a busy high street. As he’s running a reporter asks him about his progress. He shouts: “I’m getting there, getting there!” http://www.funnyordie.com/videos/284b7cef6e/monty-python-silly-olympiad-from-montypythonfan

Saturday, 14 May 2011

During a recent meeting of data protection aficionados, held under “Chatham House” rules, a phrase emerged and was increasingly repeated - and as it had an ology in it, I guess we’re increasingly embracing “data protection” as a science, rather than an art.

Wikipedia differentiates science and art as follows: Science is an enterprise that builds and organizes knowledge in the form of testable explanations and predictions about the world. Art, on the other hand, is the product or process of deliberately arranging items (often with symbolic significance) in a way that influences and affects one or more of the senses, emotions and intellect.

In the early days of data protection, the main emphasis seemed to lie with the phrase no sneaky stuff. Transparency was the order of the day. Not necessarily choice, but transparency. Organisations had long privacy policies which explained what consequences would follow when someone shared their personal information with that organisation. So the "art" of data protection lay in getting individuals to feel better by being reassured about what was going to be happening to their personal information.

These days, the emphasis has shifted from transparency to choice and control. In other words, generally, these days, organisations behave ethically by more actively engaging with the individual in the hope that those individuals will want to share more information which is personal to them for something which will directly (and very quickly) benefit them.

What was this phrase that has caused me to cast off my artistic rags and espouse my scientific credentials (like the Doctor who first used it during the meeting)? It’s this one: the ecology of compliance.

What does it mean?

To my mind, what it means is that we are entering a world where individuals are increasingly aware of their rights, so organisations face a new set of challenges.

In the “old days” generally, most individuals didn’t really give a stuff about data protection, so the Data Protection Regulators felt that it was they who were charged with keeping organisations in line, in the general interests of society as a whole. This can be contrasted to today’s world, where individuals are increasingly aware of the advantages (and disadvantages) of having their personal details shared with other organisations, in a way that provides them with good stuff and bad stuff. In my mind, this emergence of knowledge is catching some Data Protection regulators unawares, as there is, in some EU Member States, a bit of a battle emerging. Some Regulators seem less willing to realise that individuals are now better able to make decisions for themselves. But if an individual is to be empowered to make the decision on their own, then there’s less need for the Regulator to make that decision on their behalf. And some Regulators don’t appear to like this challenge to their authority – and reason for existing.

And where does this leave the organisation?

Increasingly, it appears to leave them between a rock and a hard place.

Just as servants find it hard to serve two masters, organisations can find it hard to meet the expectations of both the regulators and their customers.

Instinctively, the organisation would really want to concentrate on the meeting (and exceeding) expectations of their customers. After all, if they don’t attract customers, they generally find it awfully hard to remain in business. So, when the regulator imposes rules which make it harder for the organisation to engage with their customers, sparks will fly. And that’s a direction I think we’re in danger of heading in.

Do I have any evidence of this difference of emphasis between customers and regulators? Well, let’s consider what’s going on in Germany and Switzerland at the moment. My German and Swiss friends like Google’s Street View Service. Well, they do when they come to visit me in London. They’ve already seen a picture of my home, so they know what to look out for, and what landmarks will appear as they travel to my place, to pop over for tea. If only they could have something just like that where they live, they tell me. But they don’t appear to be allowed to.

Well, I reply. Don’t tell me – tell the folks back where you live – like Swiss and German regulators, whose job is sometimes made extremely difficult by national Parliaments who have created rules which don’t appear to meet the real needs of their citizens of today. Is pragmatism a dirty word? It’s not a dirty word in the UK, but then again not everyone shares such common-sense attitudes. There could be a few too many “jobs-worths” elsewhere.

Anyway, back to the plot. My main argument is that organisations are going to increasingly have to get their crystal balls out and predict the likely consequences of their actions with greater accuracy. Fines, civil penalties and public undertakings (which all run the risk of reputational damage) are becoming increasingly common. And budgets are tight, too. But they want to provide things for customers in such a way that they’ll make repeat purchases, so that the companies can provide their staff, when that day comes, with decent pensions.

So how do organisations weigh the risk of regulatory action against the risk that their customers will have a less than optimal experience, because the customers are smothered with unnecessary protective measures? And how do organisations assess the risk of regulators feeling required to create safeguards that lots of customers care about not one jot? (Or, even worse, resent?)

Déjà vu – it sounds like the health and safety debate all over again. So, in future, we’ll all probably spend more time wearing our risk assessment hats, and working out, scientifically, when the risks of providing services to knowledgeable customers are outweighed by the costs that can be imposed when organisations are caught breaking outdated rules.

Image credit: Today's image is quite special. It's taken from a page of Charles Darwin's notebooks from around July 1837, showing his first sketch of an evolutionary tree of life. The words "I think", in his own handwriting, are some of the earliest evidence that he was developing his theory of evolution.

Friday, 13 May 2011

Every once in a while, you attend an event and lay your hands on a presentation that really helps you understand what you thought you already knew. Yesterday was one of those occasions. Robert Bond, the maestro from Speechly Bircham who helped organise the International Chamber of Commerce’s session on the impending Cookie Regulations, had slipped a mighty fine presentation into the goodie pack that awaited the delegates. Not only did we get to hear from someone who was partly responsible for the legislation (as a Member of the European Parliament, and someone from the Department of Media Culture & Sport who had helped write the implementing legislation), we also got to hear from someone who was going to be enforcing the regulations and, just as importantly, from some of those who were trying as hard as they could to ensure that their businesses understood and could meet their new obligations.

Robert had evidently been awfully nice to his friends at Barclays, who had very generously provided him with material for a stunning presentation which, in less than 40 slides, cut to the core of the issue and set it out in terms that even a Board Member could understand. That’s no mean feat. No waffle, no embellishments, just a set of slides which explained in simple language just what all this stuff is really about.

Marvellous.

I just wish I had thought of presenting the issues in those terms. Well, I will, from now on!

I’m not going to steal Robert's thunder and reveal all the information on the slides here. That would be rude. If you want to know what I now know, you’re going to have to be awfully nice to him, or alternatively, awfully nice to your friends at Barclays.

But to give you a taster of why it's important you should try and get a presentation like this in front of your own Board, here’s the contents slide:
• What are cookies?
• What’s inside a cookie?
• Different types of cookies and their characteristics
• When are cookies sent?
• First and third party cookies
• What is the role of cookies?
• How many cookies can a website give?
• Dispelling some common myths about cookies
• Online behavioural targeting and advertising

It’s just what you need your business leaders to know.

And, let’s be honest, it’s just what we all need to know, too. Sometimes we can be afraid to admit to the extent of our own ignorance in these areas – but after reading this presentation, you’re not going to be ignorant any longer.

Here endeth the advert.

Many thanks to Stephen Pattison (Director of the UK arm of the International Chamber of Commerce) and also to Ian Twinn (from ISBA, the voice of British advertisers) for their interventions. They both helped ensure that it was an extremely successful event. They also helped uncork a bottle or two once the formal session had ended.

I’ll be keeping my eye open for other ICC events – when they attract delegates of the calibre that turned up yesterday, you know you’re in good company.

Wednesday, 11 May 2011

It’s official. New rules will take effect in less than two weeks. It’s not often that the “business friendly” Coalition Government finds itself in the position of imposing huge changes on extremely significant parts of the economy with virtually no notice whatsoever. In my experience, it’s only the Inland Revenue that can get away with such major changes in such a short timescale.

So let’s get real here. It’s not going to happen.

And, in the UK, we are the “lucky ones”. There are rumours of possible changes in a couple of the other Member States, but most of the European Governments are as concerned at hitting the EU Commission’s deadline of 25 May as they are about winning the Eurovision song contest.

I think I detect a theme here. As Corporal Jones from Dad’s Army used to urge: Don’t panic.

Take a look at the relaxed grins on the faces of those awfully clever people at Department of Culture, Media and Sport, who have miraculously transposed the Directive into UK law just in time. (Well, it will be law once it’s clear that Parliament isn’t going to perform a U-turn and withdraw it). And then take a look at the twinkle in the eyes of those awfully industrious people at the Information Commissioner’s Office, who have laboured night and day to publish stuff on the internet which indicates what they really think of the rules. And then ask yourself "wow, if they’re not worried, then what have I got to be worried about?"

If we’re not careful we’ll all turn into a group of fundamentalists who believe that the demands of the Directive are written in tablets of stone, from which no deviation is possibly permitted.

In a free society, we don’t work like that anymore. Just as citizens can rebel against their Governments, web masters will point out that some of the words in the Directive just don’t make any sense, so they’re not going to meekly comply until their human rights have been respected, too.

Am I calling for an all-out strike here? Or a work to rule? Of course not.

I’m not calling for a sprint to the compliance podium, with the requirement that everyone complies before 25 May. Instead, I’m calling for a reasoned debate on how webmasters can meet the legitimate aspirations of the customers who access their on-line portals, to give them transparency, choice and control over the stuff that really matters. And, I’m calling for those who will be enforcing the Directive to cut some slack with the webmasters, and allow them to be creative and push the barriers out when it comes to deciding how to tailor the user’s visit to the website, to give them a great experience. Which means not overwhelming the poor user with a snowstorm of cookie warnings and other tick boxes that can so easily ruin what should be a wonderful on-line experience.

AIM – keep customers happy and keep the European Commission off our backs.

PLAN –
1. Demonstrate to the regulator that despite being given virtually no notice whatsoever, we care about compliance. Do this by asking contacts within the business to identify who actually operates the business websites, and whether they know how these websites are constructed.
2. A few months later, suggest to the IT / Sales Department that there really ought to be someone in charge of these websites, and that it would be helpful to know their name so that we can get them to find out what they are really in charge of.
3. Require the person in charge of the websites to carry out an audit of the different types of cookies that are currently on them.
4. Read the guidance that ought to have been prepared by then which categorises these cookies into various types. They are likely to include categories where the webmaster has a legitimate interest in using cookies (as they help provide a great user experience), and categories of cookies which basically track the user when they’re doing other stuff on the internet (which is information that the business or a 3rd party finds useful and can derive some commercial value from, so the user does not have to be charged a fee to access the main website).
5. Check the ICO’s website to see how the guidance on cookies has been revised. We’re only on version 1 now. We’ll probably see a few more versions slip out as the months roll on.
6. Thank your fellow industry colleagues for having the courage to interpret the term “strictly necessary” in a way that makes common business sense, given the prevailing technologies. Support them if (ok, when) they run into any significant resistance from some European regulators, whose understanding of that term causes problems.
7. Follow the market leaders (Google, Amazon, Tesco, EverythingEverywhere etc).
8. And, until you get past point 3, keep reminding the regulators that we do care about compliance, but we also need to take a little time in making sure we’re all creating the best possible experience for our customers.
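Steps 3 and 4 of the plan call for an audit that sorts a site's cookies into categories. As an added illustration (not the author's code, and not the ICO's guidance), here is a small Python script that makes the first cut of that sorting from Set-Cookie headers; the public-suffix excerpt, the hostnames and the sample headers are all constructed assumptions.

```python
"""Cookie audit helper, added as an example for steps 3 and 4 of the plan above
(not the author's or any regulator's code). It sorts Set-Cookie headers into the
categories the slide and the plan mention: first or third party, session or
persistent. The public-suffix excerpt and sample headers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tiny excerpt of the Public Suffix List (an assumption); a real audit loads the
# full list so that example.co.uk and other.co.uk are not treated as one site.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "com", "net"}

@dataclass
class CookieRecord:
    name: str
    set_by: str     # host whose response carried the Set-Cookie header
    domain: str     # effective cookie domain after the Domain attribute
    party: str      # "first" or "third"
    lifetime: str   # "session" or "persistent"
    secure: bool
    http_only: bool

def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), matching the longest suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into name, value and lower-cased attributes.
    Splitting on ';' is safe: the comma inside an Expires date is not a separator."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit(site_host: str, responses: List[Tuple[str, str]]) -> List[CookieRecord]:
    """Classify every cookie set while loading site_host and its embedded resources."""
    records = []
    for set_by, header in responses:
        name, _, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", set_by).lstrip(".").lower() or set_by
        party = "first" if registrable_domain(domain) == registrable_domain(site_host) else "third"
        # Persistent if Max-Age is a positive number, otherwise if Expires is present
        # (RFC 6265 gives Max-Age precedence and ignores an unparsable one).
        if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
            persistent = int(attrs["max-age"]) > 0
        else:
            persistent = "expires" in attrs
        records.append(CookieRecord(name, set_by, domain, party,
                                    "persistent" if persistent else "session",
                                    "secure" in attrs, "httponly" in attrs))
    return records

def classify(record: CookieRecord) -> str:
    """Sort into the two groups step 4 distinguishes plus a 'review' bucket."""
    if record.party == "third" and record.lifetime == "persistent":
        return "tracking_candidate"   # set cross-site and outlives the visit
    if record.party == "first" and record.lifetime == "session":
        return "necessary_candidate"  # e.g. login session or basket state
    return "review"                   # needs a human decision against the guidance

# Constructed sample: a UK shop page, one of its own CDN hosts and an ad host.
SITE = "www.example.co.uk"
SAMPLE_RESPONSES = [
    ("www.example.co.uk", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.co.uk", "basket=xyz; Path=/; Max-Age=2592000; Secure"),
    ("ads.example-tracker.net", "uid=7f3e; Domain=.example-tracker.net; "
     "Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/"),
    ("cdn.example.co.uk", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for rec in audit(SITE, SAMPLE_RESPONSES):
        print(f"{rec.name:<12}{rec.party:<7}{rec.lifetime:<11}{classify(rec)}")
```

The "review" bucket is deliberate: a first-party persistent cookie may or may not be "strictly necessary", and that call belongs to a person reading the guidance, not to the script.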

Finally, don’t be downhearted. Sing along to the words of the Cookie Compliance Song. Keep a smile on your face and let’s hope that Paul Simon or Art Garfunkel won’t get too upset at the liberties we’re taking with their wonderful 59th Street Bridge Song.

Back to the 1960’s, kick off those sandals, and stick flowers in your hair.

Now take a deep breath and sing (and also clap your hands):

Slow down, you movin' too fast
You gotta make this moment last
Just kickin' down the cobblestones
Lookin' for fun and
Feelin' groovy

Got no deeds to do
No promises to keep
I'm dappled and drowsy and ready to sleep
Let the EU drop all its directives on me...
Just wait for guidance, we’re not up a gum tree.
Life, I love you,
All is groovy

Tuesday, 10 May 2011

In a move that will shock many observers, the Information Commissioner has announced the level of the civil monetary penalty that will be imposed on one of the most awful solicitors of this century. Christopher Graham announced the award – and a bit of the thinking behind it – at a packed reception today in the Strangers Dining Room at the Palace of Westminster, where some of the great and the good of the Data Protection (and Parliamentary) community had assembled to celebrate the launch of the Data Sharing Code of Practice.

In an extremely astute move, Christopher Graham commanded that cake and sandwiches should not be served to us until he had finished speaking. Just as well. If our mouths had been full of any of those comestibles as he gave his explanation, I’m sure that most of us would have coughed the food onto the carpet in disbelief at what we were hearing.

Let’s be clear. Andrew Crossley, the sole practitioner of ACS Law, was involved in a business which people who are far cleverer than I have suggested was morally outrageous. If he has done even half of what he is alleged to have done, then that in itself would cause me to cross the road if I were ever to notice him coming towards me.

However, turning to the matters that were of concern to the Information Commissioner, according to the ICO's findings, he routinely handled large amounts of personal data, in an internet environment, and had used a legal assistant with no IT qualifications to research and recommend a new web-hosting company and package to him. The “home” web-hosting package cost £5.99 a month. It was never intended for significant business use, nor did it appear to provide any guarantees to the data controller in relation to the security of the personal data. So, he knew or ought to have known that failing to take professional IT advice about an appropriate web-hosting company and the implementation and development of his associated IT systems might lead to deficiencies in the data controller’s IT systems.

As a result, a large amount of personal data and sensitive personal data leaked on-line relating to around 6,000 individuals. The ICO’s findings do not specify what this data is, but friends of mine who know about these things are truly shocked at what was leaked. This information has been distributed worldwide and could be available to third parties indefinitely. The contravention was of a kind likely to cause substantial damage and distress to the data subjects.

And the fine – well, we know that civil monetary penalties are not designed to impose financial hardship on a data controller. The Statutory Code makes that pretty clear.

So, if Andrew Crossley pays in full by 6th June, the fine will be £800.

I claim more than that in expenses, some months.

As I heard the reasoning behind the decision to set the figure that low (he’s a small businessman who is fully co-operating with the ICO, and hasn’t got any money left anyway – it’s all been spent, blah blah blah) my mind turned to the work of Thomas Luis de Victoria (1548 - 1611), whose 400th anniversary we celebrate this year. He was the Andrew Lloyd Webber of his time – and one phrase from his Lamentations (composed for the Holy Saturday of the Easter festival) is particularly apt: Recordare Domine quid acciderit nobis: intuere, et respice opprobrium nostrum. For those scholars amongst us whose natural classical language is not Latin, the English translation is Remember, O Lord, what has befallen us: look and see our disgrace.

Some disgrace.

If the best the ICO is capable of doing (under the circumstances) is issuing a fine of £800 to someone as notorious as Andrew Crossley, the “custodial sentence” brigade are going to be rising forth, demanding penalties that fit the crime a little more closely than those Parliament have currently empowered the Commissioner with.

I wanted to suggest to David Davies MP, who was also at today’s Parliamentary reception, that perhaps Parliament should bring in a new punishment, to allow the Commissioner to have miscreants paraded through the streets of Wilmslow before being beaten on the bottom with a copy of the Woman’s Weekly.

If it’s a punishment that is sufficiently invigorating for Victoria Wood, then it ought to be good enough for the likes of Andrew Crossley.

Monday, 9 May 2011

I’ve just read some stuff on Twitter which reports on behaviour that is so naughty that (apparently) some English Judges have issued super-injunctions, forbidding me to let you know all about it.

So I won’t.

But I expect you know all about it anyway. You, and several million others.

It took me, thanks to Google’s brilliant search engine, less than 3 seconds to get to what others have probably paid lawyers thousands of pounds to try and suppress. And I didn't even have to go to Twitter to read it. It's been re-tweeted and had appeared on an extremely reputable website. Of course, what I might have read could have been a load of codswallop. It could all have been complete lies. But, somehow, I don’t think so. If the former model Katie Price had been mentioned, then I would have suspected that it was a load of made up tosh. But her name didn’t feature anywhere. Thank goodness for that.

Instead, I read about a smattering of television personalities, most of whom I would have failed to recognise even if they were in front of me, operating a check-out till at my local Waitrose, sportsmen (the same) and an actor (oh no, I think I would recognise that actor). They are probably all wishing that the European Commission would hurry up revising the Data Protection Directive, and give them stronger rights to be let alone.

One of the proposals contained in the European Commission’s recent plan to amend the data protection directive came from the premise that individuals should always be able to access, rectify, delete or block their data, unless there are legitimate reasons, provided by law, for preventing this.

Cummon, let's get real here. People who profit from their celebrity are going to have to work pretty hard to control all aspects of their personal behaviour in today’s online and interconnected world. And none of us are really going to want to forgo our delicious pleasure at reading about the fascinating antics of people whose lifestyles we can only dream of.

Still, let's see what’s going to happen.

If the service had been offered by Google, rather than Twitter, I would have expected a chorus of (varying degrees of) disapproval to have instantly erupted from the Data Protection regulators in many EU Member States. Some regulators might already have announced that they were contemplating significant fines, or custodial sentences, against the "Twitterati", while others might just be thinking of asking Twitter executives to pop by for afternoon tea and a polite chat.

But Twitter? How does a domestic Data Protection regulator deal with an organisation that, being based in San Francisco, California, probably has no formal establishment in that Member State in the first place? Does it even recognise that the “foreign” celebrities face their reputations being challenged in the minds of the local citizens who can read and freely discuss what cannot be mentioned in polite society within the jurisdiction of the English courts?

Let’s see how the regulators (and the courts) play this. The challenge is on. How many people need to know about the stuff that “dare not speak its name” before they realise that the internet has won? And will this teach a lesson to those who wish to interfere with the rights of those who decide to ignore an individual who tries to block access to their data, on the grounds that the “illegitimate” act they apparently committed has affected their commercial value?

If we cherish internet freedoms sufficiently to enable citizens in various countries to spontaneously erupt against their own Governments, how can we expect the odd individual to acquire (even in a democratic society) the right to require the state to censor reports about their own less illustrious behaviours?

For just how long should you be entitled to exist, you inconvenient truth?

Sunday, 8 May 2011

Three cheers for us Brits! Good Europeans as we are, we will hit the EU’s deadline of 25 May to bring some European legislation into force to provide an even better level of protection to users of communications services. I’m not too sure how many other EU member states will also hit the deadline, but I doubt that many people will care too greatly if they don’t.

Laid before Parliament last Thursday, we can now put some hot towels around our heads to work out just what this stuff actually means. Please don’t think that all you need to do is to read it to be fully apprised of the true meaning of these words. Oh no. As the Statutory Instrument seeks to amend existing regulations, you really need to have a copy of the existing regulations on one side of your desk, and these regulations on the other, and then when you read them both together some interesting things emerge.

Last time the relevant regulations were changed, the old ones were completely replaced by a new text – so there was only one document to refer to. This way of revising the regulations means a bit more work – both for me, to understand what the new Regulations actually mean, and for people who want to work out whether any of their rights have been infringed when a Communications Service Provider, or anyone else mentioned in the Regulations, for that matter, acts in a way that may be contrary to what is to be prohibited.

What did I think was going to happen? I had expected the Coalition Government to “copy and paste” the terms that appeared in the earlier Directive, as I was not expecting any “gold plating” to emerge. So I was expecting something about communications service providers being required to notify data breaches to the regulators. I wasn’t expecting the SI to require “all” breaches. I had thought that there might have been some threshold below which those chaps in Wilmslow were not to be bothered about. Well, no threshold appears in the SI – just a statement in the explanatory notes to the effect that “Regulation 5 inserts a new provision into the 2003 Regulations which relates to the notification of personal data breaches. In all cases, the Information Commissioner must be notified. In some cases, the subscriber or user must also be notified where there is a risk that the breach would adversely affect the personal data or privacy of that user.”

All cases? Well, to encourage all cases to be notified, the Regulations allow the Information Commissioner to impose a fixed monetary penalty of £1,000 (reduced to £800 if the miscreant pays the fine within 21 days) for cases where an “undue delay” in notifying the Commissioner had occurred. I didn’t see that in the original Directive.

Will this lead to communication service providers adopting the same behaviours as health trusts, where even the most minor of breaches are reported? And will it lead to the Commissioner issuing press releases about these minor breaches and then requiring the heads of these organisations to sign public undertakings to get things corrected? Well, yes it might. At least with NHS trusts, there are rather a lot of them, so I doubt that the heads of these organisations will feel the wrath of the ICO’s Head of Enforcement too often. There are many fewer Communication Service Providers, however. So they could, if the Chief Executive Officers are not careful, be signing more than one public undertaking each. Woe betide the person who has to brief the CEO every time a snafu emerges that requires a breach notification. Sally Anne Poole, the ICO’s acting Head of Enforcement, could well be spending more time than she actually wanted dealing with the perceived failings of the CSPs – despite the fact that they are all relatively well resourced organisations with professional compliance teams who try as hard as they can to get things right.

I do hope that the ICO takes such factors into account when receiving yet another report of a minor breach. Companies with large customer databases are likely to incur a few breaches - but at least they're unlikely to relate to information as sensitive as the health records that can get lost by less well resourced organisations within the NHS.

While the CSPs may not be required to tell customers of trivial breaches, of course individuals will always be able to write to the ICO to make a Freedom of Information request about the volumes of breaches that have been reported to them by particular CSPs. And the ICO will not have to warn the CSP of such an enquiry - so the first time the CSP may know about it is when the media report emerges about the volumes of notices that each CSP had generated.

This “backdoor publicity” about data breach volumes could cause some CSPs to query the necessity of advising the ICO of all breaches. Will the risk of incurring a potential fine of £1,000 (if the breach subsequently becomes public) be worth running if the business fears that the reputational cost of publicising the most minor of breaches is far greater than £1,000? This is surely the sort of issue that listeners of BBC Radio 4’s excellent programme The Moral Maze would want to explore.

What side would I be on? Well, you’ll just have to wait until I’m asked to be a Moral Maze panelist (or witness) – and then you’ll find out!

There’s lots more to mull over in these new Regulations, but they can wait for another blog posting.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.